Entries tagged with ad - TechNet Edge

Active Directory Group Policy Object (GPO) Delegation and Approval Workflow With AGPM 3.0 in MDOP 2008 R2

yung — Mon, 01 Dec 2008 08:01:00 GMT

In the TechNet Webcast: Microsoft Solutions for Windows Vista Management (Level 300), I will demo a number of capabilities includnig Microsoft Advanced Group Policy Management (AGPM) 3.0 for managing Vista desktops and Windows environment in general. AGPM 3.0 is one of the 5 components in Microsoft Desktop Optimization Pack for Software Assurance (MDOP) 2008 R2. AGPM enables the change-approval workflow of Group Policy Objects (GPOs) and is something I thought worth a special introduction here. Meanwhile I am also developing a screencast and will publish it here soon.

AGPM is to help customers better manage GPOs, particularly those with complex information technology (IT) environments. A robust delegation model, role-based administration, and change-request approval provide granular administrative control as described in the overview whitepaper and shown below.

For example, you can delegate Reviewer, Editor, and Approver roles to other administrators — even administrators who do not have access to production GPOs. The Editor role can edit GPOs but not deploy them; the Approver role can deploy GPO changes. AGPM also helps reduce the risk of widespread failures. You can use AGPM to edit GPOs offline, outside of the production environment, and then audit changes and easily find differences between GPO versions. In addition, AGPM supports effective change control by providing version tracking, history capture, and quick rollback of deployed GPO changes. It also supports a management workflow by allowing you to create GPO template libraries and send GPO change e-mail notifications. Step-by-Step and Operations Guides of AGM 3.0 are also readily available.

For those who are interested in finding more, MDOP 2008 R2 was RTM in September of 2008. Here are demos, more demos, and FAQ. Subscribers can download MDOP 2008 R2 from the TechNet and MSDN subscription sites. The availability of the components is as follows through Microsoft Volume Licensing Service (MVLS):

The official MDOP blog is the channel to get the latest.

Server 2008 and Active Directory snapshot software at QBranch

David Tesar — Mon, 04 Aug 2008 07:01:00 GMT

Joachim Nasslander, Solution specialist at QBranch in Sweden, starts off by telling us about their own company's ~50 server and ~5,000 customer server environment which has been running Windows Server 2008 since 2006.

At 02:27 Fredrik Lindstrom, Developer at QBranch, tells us about active directory snapshot software he wrote to compare the snapshot versions and restore deleted objects and their values in AD. He tells us about some of the limitations and plans for the program moving forward.

At 4:06 Fredrik gives us a demo of the software.

You can download Fredrik's program here:
http://lindstrom.nullsession.com/?page_id=11

Learn more about Server 2008
Learn more about AD snapshots

Server 2008 - AD Backup and Restore PM interview

David Tesar — Fri, 11 Apr 2008 06:59:00 GMT

I met up with Stephanie Cheung, the program manager for active directory backup and recovery and we discuss:

What restartable AD is and when it is appropriate to use it
- Good for usage when you want to recover deleted objects without rebooting
- Bad for when you need to do a "bare metal" restore or have database corruption
Thoughts around when to do a "Dcpromo /forceremoval" versus restoring from backup. This includes discussion of restoring using install from media (IFM) and IFM for an RODC.
What the database mounting tool (DMT - old name "snapshot" tool) does and some ideas on what we're going to do to make recovery of deleted objects easier using DMT.
A best practice around preventing deletion of objects in AD (including the new "Protect object from accidental deletion" checkbox for objects).
Future thoughts for AD backup and restore, such as reducing forest recovery time
General disaster recovery tips

Windows Server 2008 - AD RODC PM interview

David Tesar — Wed, 19 Mar 2008 06:59:00 GMT

I met up with Gregoire Guetat, a program manager (PM) who has worked on Dcpromo, ADPrep, Replication Engine, and RODC. In this video, he tells us why the team decided to create the RODC, recommendations for best practices with RODC (RODC + Server Core and Bitlocker), his take on virtualization of DCs, why "USN Bubbles" are bad and why you can't have one on a RODC, tip on where the RODCs should point for DNS, explanation of details for two-staged DC promotions & Install from Media (IFM). Also, the DS team is planning on coming out with a white paper for guidance on having RODCs in the DMZ. He also tells us a couple other things which are coming up on the DS team and explains what interoperability there is currently with RODC and Exchange.

If you decide to tune into "Over the Edge" at ~20:45, you'll hear about where he's from in France, what are the best places to visit there, and also hear about his Whirlyball experience.

Windows Server 2008 Active Directory Auditing and FGPP PM Interview

David Tesar — Fri, 29 Feb 2008 07:59:00 GMT

Hear about Windows Server 2008 AD auditing and FGPP directly from the source! In this interview with Siddharth Bhai the program manager (PM) for this AD functionality, he gives us a bunch of great information.

For instance he:
- Explains the recommended practices on how to create password settings objects (PSOs) and delegate the permissions for these.

- Gives numerous reasons as to why the team made the decision for PSOs being assigned via groups and not OUs

- Tells us why the team didn't produce a more rich GUI tool to create PSOs (instead of the manual creation using ADSIedit)

- Describes why they made the decisions to include the new auditing features in WS08

- Simplifies the areas how to apply auditing (Global auditing, Schema, specific ACE per object)

- Shares thoughts on what might be coming up next with auditing and FGPP

Some resources referenced in this interview:
Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide
Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration

Server 2008 Active Directory IPD guide

David Tesar — Fri, 22 Feb 2008 07:59:00 GMT

In this interview, I met up with Charles Denny on the solutions accelerator team who is in charge of the infrastructure and planning guide for AD (this is the next generation of the (WSSRA) guides. We talk about the purpose of this guide and dig into information in the guide which might be useful to you such as his viewpoint on one of the most difficult business decisions which need to be made in an AD environment.

There is tons of documentation out there on how to technically do things with AD, but until now with the IPD, there is not very much with how to successfully design your infrastructure and the decisions which need to be made along the way. For instance, divestitures in deciding what forest design to choose is one important factor to consider. This guide will help you in migrating to Windows Server 2008 from a needed angle.

To take a look at the beta to the TS and AD guides, go to the Connect site by clicking here if new or here if already enrolled.

Also, the guides for the below can be found here:

Infrastructure Planning and Design Series Introduction

Selecting the Right Virtualization Technology

SoftGrid Application Virtualization

Windows Server Virtualization (for Windows Server 2008 virtualization and Virtual Server 2005 R2 SP1)

Linux / Samba / Unix and Microsoft Integration chat with Ralf Wigand

David Tesar — Thu, 29 Nov 2007 18:00:00 GMT

While I was at IT Forum, I attended Ralf Wigand's IDA406 session entitled: "Broaden your Active Directory Horizon – Linux Authentication" and thought it would be great to interview him. Ralf is on the IT staff from the University of Karlsruhe and has worked with Linux since the days of Minix.

In this interview we talked about where he currently commonly sees environment integration with Linux / Unix and Services for Unix (SFU), the benefits of each operating system platform, and where he would like to see the Microsoft / Linux integration story moving forward. He gives tips on common mistakes and best practices with integration of Linux/Samba and Microsoft servers and resources on where to go to make this happen.

What are your thoughts on Microsoft and Linux / Unix integration?

Windows Server 2008 - Active Directory Auditing Enhancements

David Tesar — Thu, 29 Nov 2007 01:00:00 GMT

I hope this post will act as a good reference point to be able to quickly understand the good and bad about new AD auditing enhancements and then enable you to dive deeper at will using the links in this article.

There’s nothing more exciting than auditing right? Well, check this out and hopefully it will spark some interest.

In Windows Server 2003 R2 and prior, the auditing of active directory certainly has not been a strong point. You would enable or disable global AD auditing for success or failures, set a SACL on the objects you wanted to monitor, and then typically one or both of the following would happen:

Your security event log fills up with way more security events than you’d ever hoped for, possibly wrapping or ballooning the size of the security log.
Auditing doesn’t actually provide enough information for you to make any use of the events which are recorded in the security event log. i.e. it only says who was successful at modifying the object, but nothing on the details of the value(s) which were changed.

In Server 2008, we are on a good path to fix this pain. Some of the key improvements to AD auditing are as follows:

You can limit the number of attributes which are audited for object types. For instance, you only want to know if the Employee’s Pay Level attribute is modified for all user accounts and nothing else.
Auditing is now broken into four categories: Access (same as 2000/2003), Changes, Replication, and Detailed Replication. The most interesting come from the new changes category:
- AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged.
- If a new object is created, values of the attributes that are populated at the time of creation are logged.
- If an object is moved, the previous and new location (distinguished name) is logged for moves within the domain. When an object is moved to a different domain, a create event is generated on the domain controller in the target domain.
- If an object is undeleted, the location where the object is moved to is logged.

What are the downfalls?

You have to modify the schema in order to limit the number of attributes which are audited per object type. This isn’t really difficult, but it would be nice if there were some friendlier type way to do it.
You cannot view or modify the audit policy subcategories with the Local Group Policy Editor (GPedit.msc). You can only do this with the command-line tool Auditpol.exe.
As far as I can tell, you can’t limit auditing to different specific attributes for a subset of the same type of object. For instance, you would like to audit attributes X, Y, Z for all admin user accounts, but only attribute X for all regular user accounts. Of course you have some control over this with your SACLs…

Get Started:

Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide
TechNet - AD DS: Auditing
Windows Networking Site AD enhancements overview
MS Directory Services Team Blog Post on WS08 Auditing Enhancements

Microsoft IT Active Directory Interview with Brian Puhl

David Tesar — Wed, 28 Nov 2007 00:00:00 GMT

We sat down with Brian Puhl who has been working for Microsoft IT (MSIT) on the deployment, maintenance, planning of their active directory infrastructure since around Windows Server 2000. Learn about how Microsoft does AD from the source and also the projects they're working on. A seamless experience for your corporate users inside the corporate network and out on the internet, without using a VPN? Smartcard login/authentication for all MS employees? Average of 1 Schema change every 4 months?